If you are unsure whether your business has the right protections to avoid costly data breaches, you’re not alone. Most SMBs in the UK are unprepared when it comes to dealing with cyber threats.
In my role as a cyber security expert here at Babble, I’ve spent years helping businesses like yours implement effective cyber security strategies and proactively improve their cyber security posture. But one of the first questions I almost always get is “How much should I invest in cyber security?”.
In this blog, I’ll break down the must-have areas of investment and cost considerations that will make sure your cyber security budget covers all the bases. I’ll also mention some common mistakes SMBs make when allocating their budgets. By the end of reading this, you’ll know exactly where your money needs to go.
So, how much money are we talking about?
When most people ask what goes into a cyber security budget, what they really want to know is how much they should be spending in the first place. I’d recommend 15 to 20% of your total IT budget. Yes, that might seem like a hefty chunk, but consider this: the fallout from a cyber breach — think lost intellectual property, money down the drain, and a trashed reputation — that’s going to hurt way more than that initial spend.
The Three Core Pillars: People, Devices, and Places
Now that you know how much you should invest, let’s talk about where that money should go. A cyber security budget has three fundamental areas of investment: people, devices, and places. Together they form the foundation of any cyber security budget, and no business can afford to neglect any of them. Think of it as securing your business from all angles.
People: The Most Critical Asset
While most IT managers think of purchasing new tools and technologies when they think of investing in cyber security, I always like to start with the people aspect. Why? Because people are the biggest source of cyber risk. Whether an incident happens onsite or remotely, it usually ends with a compromised device, and the step before that is usually someone making a mistake – like clicking on a suspicious link – rather than some highly advanced hack. That is why human error is a critical vulnerability to address in your cyber security strategy.
I cannot stress enough how crucial user awareness training is. All the tech you purchase is only as good as the people using it, so they need to understand exactly what keeps your business safe. The good news is that investing in your people is the most effective measure you can take, and it is usually the lowest-cost one as well.
Devices: Protecting Your Entry Points
In the modern workplace, employees frequently use a variety of devices, often in remote settings. These devices act as entry points to the organisation’s network and data. Think of your devices as a doorway to your business. Not securing them is like leaving your front door open – which would be less than wise, regardless of the neighbourhood you live in.
If any device in your organisation is compromised, you need proactive measures already in place that limit the damage of a data breach. Securing devices is therefore a critical priority, particularly given the rise in remote working and the fact that people are constantly travelling. As such, it’s important to implement robust controls like Multi-Factor Authentication (MFA), so that a stolen password alone is not enough for an attacker to sign in as one of your users, alongside endpoint protection on the devices themselves.
Places: Securing Your Network
Because your organisation’s devices connect to a network, the security of that network is another key part of your security posture. Having a stable enough connection to do your job is one thing, but it’s more important to make sure that said connection is secure. Doing so requires traditional firewalls at the very least. You need firewalls in your head office, data centres and even your smaller remote sites.
I like to use another analogy when breaking this down for my clients. Think of your network as a kingdom that needs strong castle walls (firewalls) to protect your data while effectively controlling traffic within your organisation.
Cost Considerations: Upfront vs. Ongoing
It’s tough out there right now, and I get it – the Technology Industry Outlook 2025 report by RSM shows that 70% of UK SMBs in the IT sector are focused on cutting costs due to the current economic situation. It’s a reminder that we all need to be smart about saving during these challenging times.
With that in mind, it’s important to consider that many cyber security solutions can be delivered as a monthly service, which can be more financially manageable for businesses. I’m seeing a lot of customers taking this approach: anything that can be done on an OpEx monthly basis rather than as a big CapEx investment is right for them. This gives them much more flexibility and choice, which is especially helpful because if your business grows or your capability needs change, you can scale your security solutions accordingly.
Let’s unpack what these costs look like:
- Upfront Costs: These are generally for things like physical firewalls and other hardware, but even those can often be paid for monthly.
- Ongoing Costs: Luckily, most security solutions like endpoint protection and MFA can be billed monthly. I recommend this approach because it’s much more flexible than big capital investments, and it allows you to grow and adapt without breaking the bank.
Common Mistakes to Avoid
In a recent report, the UK’s National Cyber Security Centre (NCSC) has made it clear that most UK SMBs – who are a major target – aren’t ready for the cyber attacks coming this year. This is a stark reminder that we all need to step up our cyber security game – and quickly. But before you rush to buy the latest cyber security tech, here are some common mistakes that you should avoid so you can spend that 15 to 20% wisely:
- Rigid Budgets: I see it all the time: businesses with a yearly budget review process. This just doesn’t work. You have to be flexible and be able to make changes quickly. You need to review your budgets at least quarterly, not just for security, but for all IT. The world of cyber security moves incredibly fast.
- Single Vendor Dependency: Don’t put all your eggs in one basket. Going all-in with one vendor, like Microsoft or Cisco, isn’t the smartest move. You need a multi-layered approach, bringing together different tools from different vendors like Mimecast or Acronis, with your Microsoft stack, for example. No vendor is 100% effective, so it’s about giving yourself the best chance of staying safe.
Ultimately, a solid cyber security budget will be one that is tailored to your specific business needs. The best way to do this is to get in touch with a cyber security expert who can help you understand your unique situation and allocate resources to suit those needs.
Secure Your Business Effectively and Affordably
Securing your business doesn’t have to break the bank. By making smart investments and focusing on cost-effective solutions, you can achieve a strong security posture without exceeding your budget.
Remember to cover the essentials in your budget: training for your people, securing your devices, and protecting your network. Opt for flexible, monthly service options to avoid large upfront costs and adapt to changing needs. Lastly, diversify your security solutions by using multiple vendors.
At Babble, I understand the challenges SMBs face when it comes to cyber security. I’m committed to providing expert guidance and support to help you make informed decisions.
As you get ready to put your budget together, be sure to check out my blog on the 5 Essential Security Tools Your SMB Needs to Have.